RE: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

2011-08-26 11:10:14
Why should we require that alg-ids be registered URIs?

That's not my concern - the existing first paragraph of the IANA
considerations section in the draft requires IANA registration (or at
least tries to) by pointing to the PSKC registry.  My concern is that
if this is going to be done, it needs to be done right (duh!), and the
current text is insufficient. Please take the issue of whether to use
IANA for this purpose up with Gareth and the WG.

I have no problem with the IETF registering its algorithms there, or us
encouraging people to register them there, but it's a URI. What purpose
is served by forcing registration?

Hmm - more than one URI for the same algorithm might cause
interoperability problems.


Some form of identifier will be required for the otp-algID in the 
PA-OTP-CHALLENGE and the PA-OTP-REQUEST and from what I remember about when 
this was first discussed, it was agreed that it would make sense to use the 
registry of identifiers already being established for PSKC rather than produce 
a duplicate one.  My assumption was that a registry would be required to ensure 
that the URIs were unique.

--Gareth




-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
Sent: Wednesday, August 24, 2011 10:04 PM
To: Black, David
Cc: Richards, Gareth; gen-art@ietf.org; ietf@ietf.org; ietf-krb-wg@lists.anl.gov; hartmans-ietf@mit.edu; stephen.farrell@cs.tcd.ie
Subject: Re: Gen-ART review of draft-ietf-krb-wg-otp-preauth-18

  <david.black@emc.com> writes:


    > [1] In section 6.1 at the top of p.28, I don't believe that the
    > use of lower case "recommended" is a strong enough warning about
    > the danger in using anonymous PKINIT because it exposes the OTP
    > value:

    >    It is therefore recommended that anonymous PKINIT not be used
    >    with OTP algorithms that require the OTP value to be sent to the
    >    KDC and that careful consideration be made of the security
    >    implications before it is used with other algorithms such as those
    >    with short OTP values.

    > At a minimum, that warning should be in upper-case:

    >    It is therefore RECOMMENDED that anonymous PKINIT not be used
    >    with OTP algorithms that require the OTP value to be sent to the
    >    KDC. In addition, the security implications should be carefully
    >    considered before anonymous PKINIT is used with other algorithms
    >    such as those with short OTP values.

    > Beyond that, the security issue in the first sentence may be
    > severe enough to justify a prohibition, so the following would
    > also be acceptable:

    >    Therefore anonymous PKINIT SHALL NOT be used with OTP
    >    algorithms that require the OTP value to be sent to the KDC. In
    >    addition, the security implications should be carefully considered
    >    before anonymous PKINIT is used with other algorithms such as
    >    those with short OTP values.

I definitely agree that we should use RFC 2119 language.
Note that WG participants have questioned this text in last call for
other reasons.
Many implementations use anonymous PKINIT in a mode where the KDC's
certificate is verified--that is the client is anonymous but the KDC is
identified through a PKI.
WG participants believe (and I agree) that the security concern does not
apply at all in this case.
So, the text needs reworking.

    > [2] In section 5, the first paragraph in the IANA considerations
    > is unclear, and following its reference to section 4.1, I don't
    > see any clarifying text there either.  I think Sections 4.1 and
    > 4.2 need to say that the value of otp-algID is a URI obtained from
    > the PSKC Algorithm URI Registry, and the first paragraph in
    > section 5 should say that URIs for otp-algID are to be registered
    > in that registry, see RFC 6030.

Why should we require that alg-ids be registered URIs?  I.E. what is
wrong with me using
http://algorithms.painless-security.com/otp/best-thing-since-unsliced-bread
(or a tag URI if you like) for my OTP algorithm?
I have no problem with the IETF registering its algorithms there, or us
encouraging people to register them there, but it's a URI. What purpose
is served by forcing registration?
